Ranger 401 issue with user-sync

Hi All,


Trying to enable Ranger with AD and am getting issues with the usersync function. Below are the two errors; it seems like the user doing the sync is unable to authenticate to the Ranger Admin UI, but I don't know why. Anyone know how to fix this?


Ranger Admin Logs:

<IP-ADDRESS> - - [04/Apr/2019:14:59:06 +0000] "POST /service/xusers/ugsync/auditinfo/ HTTP/1.1" 401 - "-" "Java/1.8.0_191"

Ranger UserSync Logs:

04 Apr 2019 14:59:06 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add addorUpdate group user info
04 Apr 2019 14:59:06 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateGroup failed with exception: Failed to add addorUpdate group user info, for group: Role_Reader, users: [ssnape]
04 Apr 2019 14:59:06 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : 
com.sun.jersey.api.client.UniformInterfaceException: POST http://<IP-ADDRESS>:6080/service/xusers/ugsync/auditinfo/ returned a response status of 401 Unauthorized
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:688)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getUserGroupAuditInfo(LdapPolicyMgrUserGroupBuilder.java:522)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$300(LdapPolicyMgrUserGroupBuilder.java:68)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$4.run(LdapPolicyMgrUserGroupBuilder.java:495)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$4.run(LdapPolicyMgrUserGroupBuilder.java:491)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addUserGroupAuditInfo(LdapPolicyMgrUserGroupBuilder.java:491)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.postUserGroupAuditInfo(LdapPolicyMgrUserGroupBuilder.java:474)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:408)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:748)


I tried uninstalling and reinstalling the services and still no luck. I also tried using just Unix permissions and still can't connect. After digging around, I found that this setting looks like it could be wrong?

[Screenshot: 107609-1554402919466.png]

as if I try to access that keystore, I get the following:

[root@uksddemgmthwx09-hg11 3.1.0.0-78]# ll /etc/ranger/admin/conf/ranger-admin-keystore.jks
ls: cannot access /etc/ranger/admin/conf/ranger-admin-keystore.jks: No such file or directory


Any help would be appreciated.